On March 12, 2026, the United Sates Court of Appeals for the Ninth Circuit (Ninth Circuit) partially vacated the preliminary injunction by the United States District Court for the Northern District of California (district court) that had blocked the enforcement of the California Age-Appropriate Design Code Act (CAADCA). Several key CAADCA provisions remain enjoined, but the Ninth Circuit’s latest decision allows a number of substantive obligations to take effect as the case returns to the district court for further review.
What Happened: Procedural History
The California Legislature enacted CAADCA in 2022 to protect the “privacy, safety, and well-being of children” who use online services. Originally scheduled to take effect on July 1, 2024, the statute imposes privacy and online safety obligations on businesses offering online services, products, or features (online services) likely to be accessed by California residents under the age of 18 (children).
Before CAADCA took effect, a trade association filed suit on December 14, 2022, challenging the statute primarily on First Amendment grounds. On September 18, 2023, the district court granted a preliminary injunction, blocking enforcement of CAADCA. On appeal, the Ninth Circuit partly upheld the injunction as to CAADCA’s data protection impact assessment (DPIA) provisions but lifted the remainder of the injunction, on August 16, 2024. After the case returned to the district court, however, the court again preliminarily enjoined CAADCA in its entirety on March 13, 2025. This time, the court explained that CAADCA was likely unconstitutional on its face because its applicability depended on the content of online services, creating it an impermissible content-based “coverage definition.”
The Ninth Circuit’s Ruling
In reviewing the second preliminary injunction, the Ninth Circuit disagreed that CAADCA is facially unconstitutional – at least at this stage of the proceeding. Applying the Supreme Court’s framework for facial challenges, the court emphasized that such challenges must evaluate the statute’s “full set of applications.” To succeed, a challenger must demonstrate that unconstitutional applications substantially outweigh constitutional ones. The Ninth Circuit concluded that the trade association had not met this burden because its analysis on CAADCA applications largely focused on social media platforms and did not adequately account for how CAADCA might apply to other types of online services. As a result, the Ninth Circuit vacated the district court’s broad injunction that was based on the facial First Amendment challenge.
What Remains Enjoined
Although the Ninth Circuit rejected the facial First Amendment challenge, it agreed that several CAADCA provisions are unconstitutionally vague. Specifically, the court found that certain key terms such as “materially detrimental,” “well-being,” and “best interests of children” fail to provide businesses meaningful understanding on what conduct is prohibited. Key provisions that remain enjoined following the Ninth Circuit’s ruling include:
- Data Protection Impact Assessment. The requirement to (1) conduct and document a DPIA before offering an online service likely to be accessed by children, assessing and mitigating risks arising from the online service; (2) review and update DPIAs every two years; and (3) provide DPIAs to California Attorney General upon request.
- Material Detriment. The prohibition on processing children’s personal information in a way that the business knows, or has reason to know, is materially detrimental to the physical health, mental health, or well-being of a child.
- Profiling. The prohibition on profiling children, meaning any form of automated processing of personal information to evaluate the children’s preferences, interests, behavior, location, movements, and similar characteristics, by default.
- Data Minimization and Purpose Limitation. The prohibition against processing children’s personal information (1) that is not necessary to provide an online service with which the children are actively and knowingly engaged; or (2) for any reason other than the original purpose for which the personal information was collected.
What Key Obligations Are Now in Effect
With the partial lifting of the injunction, several CAADCA requirements are now effective and enforceable. These requirements include:
- Age Estimation. Businesses that offer online services likely to be accessed by children must either implement age estimation or treat all users of the online service as children. Personal information collected for age estimation may not be used for any other purpose or retain it for longer than necessary.
- Default Privacy Settings. Online services must configure default privacy settings applicable to children that provide a high level of privacy.
- Age-Appropriate Disclosures. Privacy notices, terms of service, policies, and community standards must be provided in clear language appropriate for the age of children likely to access the online service.
- Tools for Children and Parents. Privacy tools must be provided to allow children and their parents or legal guardians to exercise their privacy rights and report concerns.
- Transparency Signals to Children. An obvious signal must be shown to children when (1) they are being monitored or tracked on the online service; or (2) their precise geolocation data is being collected.
What Comes Next
The Ninth Circuit has sent the case back to the district court for further proceedings. In the meantime, several CAADCA requirements are now effective and enforceable. Businesses that offer online services to California residents should assess, if they have not done so, whether CAADCA applies to their operations and take steps to align their practices with the CAADCA requirements currently in effect.
Alston & Bird’s Privacy, Cyber & Data Strategy Team will continue to monitor developments around laws and regulations involving children’s online privacy and safety, including the trade association’s ongoing challenge against CAADCA. Please contact us if you have any questions.
